CVE-2026-44609: Local privilege escalation due to EXE hijacking vulnerability
Local privilege escalation due to EXE hijacking vulnerability. The following products are affected: Acronis DeviceLock DLP (Windows) before build 9.0.15051.93227.
Metrics
- CVSS v3.0
- 7.3
- Severity
- HIGH
- Fixed in
- 9.0.15051.93227
- Affected Products
- 1
HarborGuard Analysis
Synopsis
An EXE hijacking vulnerability in Acronis DeviceLock DLP for Windows allows a local attacker with a low-privilege account to escalate their privileges on the affected host. Exploitation requires the attacker to already have a shell or process on the machine, hold a standard user account, and trick another user into triggering the malicious executable. Successful exploitation gives the attacker full control over confidentiality, integrity, and availability of the affected system. A patched-image rebuild at version 9.0.15051.93227 is available on HarborGuard for environments running an affected version.
HarborGuard Coverage
Detection is available across every HarborGuard environment - the CVE is matched against customer images within minutes of ingestion from upstream feeds, including custom-built Windows-based container images that bundle Acronis DeviceLock DLP. Any image containing a vulnerable version of the affected package is flagged automatically in both registry scans and CI/CD pipeline checks.
AvailableHarborGuard scores this CVE at CVSS 7.3 HIGH and weights it against each environment's compliance policy to determine urgency and routing. Triage findings are delivered to the appropriate team inbox within each customer organization based on asset ownership and policy configuration.
AvailableA patched-image rebuild at Acronis DeviceLock DLP version 9.0.15051.93227 becomes available on HarborGuard for any environment where the affected version is detected. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a pull request against affected workloads automatically.
AvailableExploit Conditions
- Network reachabilityNot required
The attacker needs an existing shell or process on the host; no network access to the service is required.
- AuthenticationRequired
Any low-privilege local account is sufficient - no administrative credentials are needed to initiate the attack.
- Victim interactionRequired
A second user on the system must trigger the hijacked executable, requiring the attacker to socially engineer or otherwise cause that interaction.
- Attack complexityDetail
Attack complexity is low - the exploit is reliable and does not depend on race conditions, specific memory layouts, or other environmental factors.
Blast Radius
- Reads sensitive files, credentials, or data accessible on the host system.
- Modifies or overwrites files, configurations, and persisted data on the affected machine.
- Crashes, disrupts, or takes full control of the affected service or operating system processes.
- Gains elevated privileges that allow lateral movement or installation of persistent malicious software on the host.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-44609 is active across all scanning environments, matching images that bundle Acronis DeviceLock DLP below build 9.0.15051.93227. A patched-image rebuild at the fixed version is available the moment an affected image is identified. Where compliance policy permits, customers with auto-remediation enabled receive a rebuilt image, a regression test run, and a PR opened against affected workloads - median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in those environments. For environments where auto-remediation is not enabled, the finding is surfaced in the HarborGuard dashboard with the fixed version clearly indicated so engineering teams can act immediately.
Fix available
- Acronis / Acronis DeviceLock DLP< 9.0.15051.93227 (from unspecified)
CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H